I would leave it as ipsec1 but if others think ipsec0 is better I would 
apply this patch. I don't have a strong opinion for either.

One minor reason I didn't use ipsec was existing comments/assumptions in code 
about ipsec0. If we apply this patch we should fix those comments. xfrmi 
ipsec0 is not the same as KLIPS ipsec0.

Paul commented something here. However, I wonder whether that message is after this 
patch or before.
https://lists.libreswan.org/pipermail/swan/2020/003616.html 

Paul, what do you think of applying this patch?

-antony

On Thu, Jul 30, 2020 at 08:42:57AM +0200, Wolfgang Nothdurft wrote:
> We don't use marks specifically for klips, but for our whole 
> netfilter/ebtables rule set and for policy based routing.
> We mark/connmark to identify special protocols, incoming interfaces, etc.
> 

> --- a/programs/pluto/kernel_xfrm_interface.c.orig     2020-07-28 
> 15:18:37.770298639 +0200
> +++ b/programs/pluto/kernel_xfrm_interface.c  2020-07-28 15:18:42.878298858 
> +0200
> @@ -563,7 +563,7 @@
>   */
>  static char *fmt_xfrmi_ifname(uint32_t if_id) {
>       char *if_name = alloc_things(char, IFNAMSIZ, "xfrmi name");
> -     int n  = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id);
> +     int n  = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id - 1);
>       passert(n < IFNAMSIZ);
>       return if_name;
>  }
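
Review bot: in fmt_xfrmi_ifname(), if_id is a uint32_t, so `if_id - 1` wraps to 4294967295 when a caller passes 0, and nothing in the function rejects that. A `passert(if_id > 0)` before the snprintf() would catch it, and the comment block that ends just above the function should say that the device name is now derived from if_id minus one.
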
> @@ -573,7 +573,7 @@
>       err_t err = NULL; /* success */
>  
>       if (xfrm_interface_support == 0) {
> -             char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID);
> +             char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1);
>               char lo[]  ="lo";
>  
>               if (dev_exist_check(lo, true /* ignore error */)) {
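
Review bot: the changed call `fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1)` subtracts one from a value that fmt_xfrmi_ifname() itself now decrements (first hunk), so the name ends up formatted from IPSEC1_XFRM_IF_ID - 2. If IPSEC1_XFRM_IF_ID is 1, as its name suggests, the argument becomes 0 and then wraps inside the helper because the parameter is uint32_t. Pass IPSEC1_XFRM_IF_ID unchanged here so the offset is applied in one place only.
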
> @@ -755,7 +755,7 @@
>        */
>  
>       char if_name[IFNAMSIZ];
> -     snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, 
> IPSEC1_XFRM_IF_ID); /* first one ipsec1 */
> +     snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID 
> - 1); /* first one ipsec1 */
>  
>       unsigned int if_id = if_nametoindex(if_name);
>       if (if_id != 0) {
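
Review bot: the trailing comment on the changed snprintf() still reads "first one ipsec1" although the name is now built from IPSEC1_XFRM_IF_ID - 1; update it to match the new name. The same `- 1` is open-coded here and again in free_xfrmi_ipsec1(), next to the adjusted fmt_xfrmi_ifname(), so a single helper or macro for the if_id-to-name mapping would keep these sites from drifting apart.
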
> @@ -776,7 +776,7 @@
>  void free_xfrmi_ipsec1(void)
>  {
>       char if_name[IFNAMSIZ];
> -     snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, 
> IPSEC1_XFRM_IF_ID); /* gloabl ipsec1 */
> +     snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID 
> - 1); /* gloabl ipsec1 */
>       unsigned int if_id = if_nametoindex(if_name);
>  
>       if (if_id > 0) {
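
Review bot: free_xfrmi_ipsec1() and the comment on its changed snprintf() still say ipsec1 while the name is now formatted from IPSEC1_XFRM_IF_ID - 1, so both the function name and the comment mislead after this change. Rename the function or at least reword the comment, and fix the "gloabl" typo while the line is being touched.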

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
